
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20172851",
"Version": "oval:org.altlinux.errata:def:20172851",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2017-2851: package `python3` update to version 3.5.4-alt2",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p9"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2017-2851",
"RefURL": "https://errata.altlinux.org/ALT-PU-2017-2851",
"Source": "ALTPU"
},
{
"RefID": "BDU:2016-01470",
"RefURL": "https://bdu.fstec.ru/vul/2016-01470",
"Source": "BDU"
},
{
"RefID": "BDU:2016-01683",
"RefURL": "https://bdu.fstec.ru/vul/2016-01683",
"Source": "BDU"
},
{
"RefID": "BDU:2018-00112",
"RefURL": "https://bdu.fstec.ru/vul/2018-00112",
"Source": "BDU"
},
{
"RefID": "BDU:2021-03140",
"RefURL": "https://bdu.fstec.ru/vul/2021-03140",
"Source": "BDU"
},
{
"RefID": "CVE-2015-1283",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283",
"Source": "CVE"
},
{
"RefID": "CVE-2016-0718",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718",
"Source": "CVE"
},
{
"RefID": "CVE-2016-0772",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772",
"Source": "CVE"
},
{
"RefID": "CVE-2016-1000110",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110",
"Source": "CVE"
},
{
"RefID": "CVE-2016-2183",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"Source": "CVE"
},
{
"RefID": "CVE-2016-4472",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472",
"Source": "CVE"
},
{
"RefID": "CVE-2016-5636",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5636",
"Source": "CVE"
},
{
"RefID": "CVE-2016-9063",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-9063",
"Source": "CVE"
},
{
"RefID": "CVE-2017-9233",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233",
"Source": "CVE"
}
],
"Description": "This update upgrades python3 to version 3.5.4-alt2. \nSecurity Fix(es):\n\n * BDU:2016-01470: Уязвимость библиотеки парсинга Expat, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2016-01683: Уязвимость библиотеки Expat, позволяющая нарушителю вызвать отказ в обслуживании или выполнить произвольный код\n\n * BDU:2018-00112: Уязвимость функции entityValueInitProcessor библиотеки для анализа XML-файлов libexpat, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2021-03140: Уязвимость алгоритмов шифрования DES и Triple DES, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * CVE-2015-1283: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.\n\n * CVE-2016-0718: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.\n\n * CVE-2016-0772: The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"\n\n * CVE-2016-1000110: The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.\n\n * CVE-2016-2183: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack.\n\n * CVE-2016-4472: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.\n\n * CVE-2016-5636: Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.\n\n * CVE-2016-9063: An integer overflow during the parsing of XML using the Expat library. This vulnerability affects Firefox \u003c 50.\n\n * CVE-2017-9233: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2017-12-28"
},
"Updated": {
"Date": "2017-12-28"
},
"BDUs": [
{
"ID": "BDU:2016-01470",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CWE": "CWE-119",
"Href": "https://bdu.fstec.ru/vul/2016-01470",
"Impact": "High",
"Public": "20160526"
},
{
"ID": "BDU:2016-01683",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CWE": "CWE-119",
"Href": "https://bdu.fstec.ru/vul/2016-01683",
"Impact": "Low",
"Public": "20160630"
},
{
"ID": "BDU:2018-00112",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-611",
"Href": "https://bdu.fstec.ru/vul/2018-00112",
"Impact": "High",
"Public": "20170625"
},
{
"ID": "BDU:2021-03140",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://bdu.fstec.ru/vul/2021-03140",
"Impact": "High",
"Public": "20160831"
}
],
"CVEs": [
{
"ID": "CVE-2015-1283",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-1283",
"Impact": "Low",
"Public": "20150723"
},
{
"ID": "CVE-2016-0718",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-119",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-0718",
"Impact": "Critical",
"Public": "20160526"
},
{
"ID": "CVE-2016-0772",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"CWE": "CWE-693",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772",
"Impact": "Low",
"Public": "20160902"
},
{
"ID": "CVE-2016-1000110",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-601",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000110",
"Impact": "Low",
"Public": "20191127"
},
{
"ID": "CVE-2016-2183",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-2183",
"Impact": "High",
"Public": "20160901"
},
{
"ID": "CVE-2016-4472",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-119",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-4472",
"Impact": "High",
"Public": "20160630"
},
{
"ID": "CVE-2016-5636",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5636",
"Impact": "Critical",
"Public": "20160902"
},
{
"ID": "CVE-2016-9063",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-9063",
"Impact": "Critical",
"Public": "20180611"
},
{
"ID": "CVE-2017-9233",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-611",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-9233",
"Impact": "High",
"Public": "20170725"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:9",
"cpe:/o:alt:workstation:9",
"cpe:/o:alt:server:9",
"cpe:/o:alt:server-v:9",
"cpe:/o:alt:education:9",
"cpe:/o:alt:slinux:9",
"cpe:/o:alt:starterkit:p9",
"cpe:/o:alt:kworkstation:9.1",
"cpe:/o:alt:workstation:9.1",
"cpe:/o:alt:server:9.1",
"cpe:/o:alt:server-v:9.1",
"cpe:/o:alt:education:9.1",
"cpe:/o:alt:slinux:9.1",
"cpe:/o:alt:starterkit:9.1",
"cpe:/o:alt:kworkstation:9.2",
"cpe:/o:alt:workstation:9.2",
"cpe:/o:alt:server:9.2",
"cpe:/o:alt:server-v:9.2",
"cpe:/o:alt:education:9.2",
"cpe:/o:alt:slinux:9.2",
"cpe:/o:alt:starterkit:9.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:1001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20172851001",
"Comment": "libpython3 is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851002",
"Comment": "python3 is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851003",
"Comment": "python3-base is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851004",
"Comment": "python3-dev is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851005",
"Comment": "python3-modules-curses is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851006",
"Comment": "python3-modules-sqlite3 is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851007",
"Comment": "python3-modules-tkinter is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851008",
"Comment": "python3-test is earlier than 0:3.5.4-alt2"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172851009",
"Comment": "python3-tools is earlier than 0:3.5.4-alt2"
}
]
}
]
}
}
]
}